Annual Holiday Malware Arrives

McAfee Avert's Vincent Gullotto downplayed the impact of Zafi.D, telling TechNewsWorld that after a burst at the start, the worm's spread appeared to have run its course as of today. Gullotto also downplayed the sophistication of Zafi.D's social engineering.

By Jay Lyman
12/15/04 12:33 PM PT

They've become another symbol of the holiday season -- the menorah, the Christmas tree, the colors of Kwanzaa, and now the holiday worms that hide in online greetings, e-mails and Web sites.

This year's malicious software, or malware, arrived yesterday in the form of a new Zafi worm variant, Zafi.D, which purports to bear holiday greetings but is really a self-spreading, mass-mailing virus that attacks Windows machines.

"People are expecting these things, and especially since e-mail worms can forge a name, it can look like a legitimate e-mail," said Sophos security consultant Carole Theriault, whose antivirus firm was estimating that more than one in every 10 e-mails on the Internet this week was infected by the "Christmas card virus."

Theriault added that while the spread of the Zafi.D worm was likely to subside somewhat following a significant spamming effort to launch it, other Zafi variants had been successful and persistent. Zafi.B, for example, was the second most prevalent worm of the year, according to Sophos.

"Zafis [variants] have stayed around for a long, long time," Theriault said.

Hazardous Holidays

Antivirus experts indicated that the Zafi.D worm was indicative of this year's trends in viruses, including the use of spamming to "seed" or start a spreading worm, and a refinement of the so-called "social engineering" tricks virus writers use to dupe victims.

Richard Stiennon, Webroot's vice president of threat research, told TechNewsWorld that while some security measures taken by Microsoft have helped improve Windows security, virus writers have polished their hoaxes as well.

"Half of all new malware developments are on the social engineering side," Stiennon said. "Now, obviously the holiday season is a good opportunity to get people to open things or lead them to a Web site."

Moving the Message

McAfee Avert Vice President Vincent Gullotto downplayed the impact of Zafi.D, telling TechNewsWorld that after a burst at the start, the worm's spread appeared to have run its course as of today.

Gullotto also downplayed the sophistication of Zafi.D's social engineering, pointing instead to the significance of the MyDoom worm and its variants, which, instead of enticing victims by telling them to click, sent users a legitimate-looking error message. The technique has since become a standard tactic for the information-stealing attacks known as phishing.

"[MyDoom] changed the message completely," Gullotto said, calling the worm's outbreak the most significant of the past year.

While he called the MyDoom spoof "about as authentic as you can get," Gullotto also said users had become more savvy at responding to outbreaks this year.

"People were quicker to figure out this is a virus and I shouldn't open it," he said, referring to MyDoom.

Convenient, Corrupted

As for Zafi.D, Sophos said today that the virus was accounting for more than 75 percent of all virus reports sent to the company from around the world in the last day.

Believed to have originated in Hungary, the Zafi.D worm uses spoofed addresses that might look familiar to users, contains holiday messages in different languages, and once executed, copies and spreads itself.

Theriault said with many computer users looking to send and receive holiday messages, pictures and e-cards, it was no wonder the Zafi.D worm was having success.

Crediting businesses with better gateway security, Theriault said home users were probably mostly responsible for the spread. The security expert added that once infected, compromised machines could be used to infect more users, turned into spam relays, or assembled for distributed denial of service (DDoS) and other attacks.
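The two traits the article attributes to Zafi.D, a forged sender address and a holiday greeting written in several languages wrapped around a self-copying executable, are exactly what a mail gateway of the kind Theriault credits businesses with can score on before a home user ever sees the message. The following triage function is an added example written for this page; it is not code from the article, from Sophos or from McAfee, and it does not use Zafi.D's real subject lines or attachment names, which the article does not give. The greeting phrases, the executable-extension list and the sample messages are all constructed assumptions, and the sender check (the From domain against the Return-Path domain) is one simple heuristic among several a real gateway would apply.

```python
import email
import unicodedata
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Holiday-greeting phrases in several languages. Constructed for this example;
# the article does not give Zafi.D's actual subject lines or body text.
HOLIDAY_PHRASES = (
    "merry christmas", "happy holidays", "happy new year", "christmas card",
    "frohe weihnachten", "joyeux noel", "feliz navidad", "boldog karacsonyt",
    "buon natale", "god jul",
)

# Attachment extensions a mass-mailer needs in order to get itself executed.
# Assumed list, not taken from the article.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".zip")


def _normalize(text: str) -> str:
    """Lower-case and strip accents so 'Noël' matches 'noel'."""
    nfkd = unicodedata.normalize("NFKD", text)
    return "".join(c for c in nfkd if not unicodedata.combining(c)).lower()


def _domain(header_value: str) -> str:
    """Return the domain part of an address header, lower-cased ('' if absent)."""
    _, address = parseaddr(str(header_value))
    return address.rpartition("@")[2].lower()


def _text_body(msg: EmailMessage) -> str:
    """Concatenate the text/plain parts that are not attachments."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.is_attachment():
            parts.append(part.get_content())
    return "\n".join(parts)


def triage(raw: str) -> dict:
    """Score one RFC 5322 message; returns {'suspect': bool, 'reasons': [...]}."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []

    # 1. The lure: a seasonal greeting in the subject or body, any language.
    haystack = _normalize((msg.get("Subject") or "") + "\n" + _text_body(msg))
    if any(phrase in haystack for phrase in HOLIDAY_PHRASES):
        reasons.append("holiday greeting theme")

    # 2. The payload: an attachment that would run if the user opens it.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXECUTABLE_EXTENSIONS):
            reasons.append(f"executable attachment {name}")

    # 3. The forgery: a familiar-looking From that the envelope sender contradicts.
    from_domain = _domain(msg.get("From", ""))
    envelope_domain = _domain(msg.get("Return-Path", ""))
    if from_domain and envelope_domain and from_domain != envelope_domain:
        reasons.append(f"From domain {from_domain} != Return-Path domain {envelope_domain}")

    # A greeting alone is just an e-card; only the combination of a runnable
    # attachment with a seasonal lure or a forged sender is flagged.
    has_exe = any(r.startswith("executable attachment") for r in reasons)
    lure_or_forgery = ("holiday greeting theme" in reasons
                       or any(r.startswith("From domain") for r in reasons))
    return {"suspect": has_exe and lure_or_forgery, "reasons": reasons}


def build_sample(subject, body, sender, return_path, attachment=None) -> str:
    """Construct a sample message for testing; not real captured mail."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m["Return-Path"] = return_path
    m.set_content(body)
    if attachment is not None:
        name, data = attachment
        m.add_attachment(data, maintype="application",
                         subtype="octet-stream", filename=name)
    return m.as_string()


# Constructed samples: a worm-style mailing and a harmless greeting.
WORM_STYLE = build_sample(
    "Merry Christmas!",
    "Happy holidays, open the attached card.",
    "friend@example.org",
    "<bounce@example.net>",
    attachment=("card.scr", b"MZ-constructed-placeholder-bytes"),
)
BENIGN_ECARD = build_sample(
    "Merry Christmas from the team",
    "Warm wishes for the season.",
    "aunt@example.org",
    "<aunt@example.org>",
)

if __name__ == "__main__":
    for label, sample in (("worm-style", WORM_STYLE), ("benign", BENIGN_ECARD)):
        print(label, triage(sample))
```

Running the block prints the verdict for both constructed samples: the worm-style message is flagged with all three reasons, while the plain e-card carries the greeting theme but no attachment and passes. The deliberately conservative rule (payload plus lure or forgery, never the greeting alone) is what keeps a gateway filter from blocking the legitimate seasonal mail Theriault expects users to be exchanging.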